MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos
From security researcher/journalist Kevin Poulsen at Wired’s Threat Level:
The bug had been around since at least October (Thanks to Rose for tipping me off), during which time it had been gleefully exploited by voyeurs, hackers, entrepreneurs and lechers; you can find pages and pages of public message board comments around the web in which posters are peeking in on 14 and 15-year-old girls and sharing what they find.
Ad-supported web sites with names like Can’t Hide and MySpacePrivateProfile.com emerged to earn a buck off the glitch. One such site reports that its users have accessed, or attempted to access, 77,000 private profiles — 3,000 of them today.
The day after he reported it to MySpace, they fixed it. Good for them. And the web sites that exploited the vulnerability aren't delivering private photos any more. Hold on, though: why hadn't they fixed it earlier? Kevin ends with:
That seems to leave just two possibilities:
- MySpace didn’t know this was going on before.
- MySpace knew about it, but didn’t take action until the press noticed.
I’ll have more next week.
We shall see …
Claims by MySpace, Facebook, or any other online service that they protect people's personal information hold water only if they pay close attention to security both when building their software and when running their site. One of the objections to the potential email list in the MySpace "child safety" agreement with state attorneys general was that the list would be as valuable to spammers and scammers as to child predators. Situations like this one, or the recent compromise of thousands of accounts on adult web sites, where the company similarly didn't react for months, show how real that risk is.
[…] concerns have articulated here: Facebook’s repeated breaches of trust and closed environment, MySpace’s chronic problems with security, the panoptic and advertising-focused aspects of both, the cost of tweets via SMS on Twitter, the […]
Pingback by Tales from the Net » The Economist’s debate: why I’m voting ‘pro’ — January 24, 2008 @ 10:11 pm
Kevin's follow-up story describes how somebody downloaded pictures from 44,000 profiles and released them on BitTorrent by exploiting this bug. It's not clear what percentage of the 500,000+ pictures were intended to be private, but still …
In the Slashdot discussion, TheNinjaRoach pointed out that if you have the URL to a picture, you can view it even if it’s supposed to be private. It’s not obvious how to exploit it, but there may still be an unblocked path to mass downloads of private pics.
The article also notes
Comment by Jon — January 27, 2008 @ 7:48 am
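The pattern TheNinjaRoach describes in the comment above, a "private" photo that the profile page merely hides while the image server hands the bytes to anyone who knows the URL, is worth seeing side by side with the two usual fixes. The following is an added illustration written for this post; it is not MySpace's code and nothing is known here about how their site was actually built. The photo store, users, friend lists, URL layout, signing key and function names are all hypothetical. It goes slightly beyond the comment by also showing the short-lived signed-URL approach that image CDNs use when the edge server cannot consult the user database on every request.

```python
"""Direct-URL access to 'private' photos: vulnerable handler, hardened
handler, and a viewer-bound signed-URL variant.

Added illustration, not MySpace's code. PHOTOS, FRIENDS, SIGNING_KEY and
the URL scheme are constructed sample data for this example.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data: each photo records its owner and privacy setting.
PHOTOS = {
    "/images/1001/party.jpg": {"owner": "alice", "private": True, "data": b"<jpeg alice>"},
    "/images/1002/band.jpg": {"owner": "bob", "private": False, "data": b"<jpeg bob>"},
}
FRIENDS = {"alice": {"carol"}, "bob": set()}

# Hypothetical server-side secret used only by the signed-URL variant.
SIGNING_KEY = b"server-side secret, never sent to the browser"


def serve_photo_vulnerable(path, viewer):
    """The reported behaviour: the profile page hides the link, but the
    image server never looks at who is asking."""
    photo = PHOTOS.get(path)
    return photo["data"] if photo else None


def is_authorized(photo, viewer):
    """Privacy check the image server itself has to perform: public photos
    are open, private ones only to the owner and the owner's friends."""
    if not photo["private"]:
        return True
    return viewer is not None and (
        viewer == photo["owner"] or viewer in FRIENDS[photo["owner"]]
    )


def serve_photo_hardened(path, viewer):
    """Same URL space, but every request re-checks the viewer's session
    against the photo's owner and privacy flag."""
    photo = PHOTOS.get(path)
    if photo is None or not is_authorized(photo, viewer):
        return None
    return photo["data"]


def sign_url(path, viewer, ttl=300, now=None):
    """Application server: runs the privacy check, then issues a URL bound
    to this viewer that expires after `ttl` seconds, so a copied link
    stops working instead of living forever on a message board."""
    photo = PHOTOS.get(path)
    if photo is None or not is_authorized(photo, viewer):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{path}|{viewer}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{path}?viewer={viewer}&expires={expires}&sig={sig}"


def serve_signed_url(url, now=None):
    """Edge/image server: verifies signature and expiry with only the
    shared key, never touching the user database. Any change to the path,
    viewer or expiry invalidates the signature."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        viewer, expires, sig = q["viewer"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    msg = f"{parsed.path}|{viewer}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if (now if now is not None else time.time()) > expires:
        return None
    photo = PHOTOS.get(parsed.path)
    return photo["data"] if photo else None


def leaked_url_test(handler):
    """Tester's probe for the bug in the post: can a logged-out stranger
    fetch a private photo given nothing but its URL?"""
    return handler("/images/1001/party.jpg", None) is not None


if __name__ == "__main__":
    print("vulnerable leaks private photo:", leaked_url_test(serve_photo_vulnerable))
    print("hardened leaks private photo:  ", leaked_url_test(serve_photo_hardened))
    link = sign_url("/images/1001/party.jpg", "alice", ttl=300, now=1_000_000)
    print("signed link, fresh:  ", serve_signed_url(link, now=1_000_100) is not None)
    print("signed link, expired:", serve_signed_url(link, now=1_000_400) is not None)
```

`leaked_url_test` is the check a tester would run against any image host: request a known-private object with no session at all. The hardened handler closes the hole at the cost of a database lookup per image request; the signed-URL variant moves that lookup to the moment the profile page is rendered and lets the image tier verify cheaply, while still bounding how long a leaked link remains useful.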
My comments from the article:
Comment by Jon — January 27, 2008 @ 8:08 am
[…] Over on Tales from the Net, I’ve been discussing Kevin Poulsen’s articles about a MySpace security bug that allowed access to photos in profiles that had been marked as “private”.  It had been well known for months, but MySpace didn’t fix it until the day after Kevin’s first article. In the interim, somebody wrote an automated script to download photos, and released 500,000 of them on the BitTorrent p2p network. […]
Pingback by Liminal states » Archive » How’d it get through QA — and why didn’t they fix it? — January 31, 2008 @ 7:19 pm